Date:      Mon, 24 Sep 2001 01:24:41 +0200
From:      "Karl M. Joch" <k.joch@kmjeuro.com>
To:        "David Kirchner" <davidk@accretivetg.com>, <freebsd-security@freebsd.org>
Subject:   Re: New worm protection
Message-ID:  <060301c14487$048f79f0$0a05a8c0@ooe.kmjeuro.com>
References:  <20010923135836.Q85958-100000@localhost>

I have made a quick and maybe dirty solution which helps me a lot on the
servers. It handles multiple error files. My error files are reset once
every 24h, so I don't get too big files.

#!/usr/bin/perl
# blockwins: scan Apache error logs for Code Red / Nimda probes and block
# every client IP seen probing, using one ipfw rule number for all of them.
use strict;
use warnings;

############################################
# include trailing / in run & wrk
my $run = "/usr/local/blockwins/";       # not used below, kept for the config
my $wrk = "/usr/local/blockwins/data/";  # create it in advance

# one error-log path per line, e.g. made by
#   ls /var/log/your-apache-error-logs > /usr/local/blockwins/logfiles
my $logfiles = "/usr/local/blockwins/logfiles";
my $domfile  = "IPs";   # DBM file (under $wrk) that remembers blocked IPs

my $rule = "50";        # the ipfw rule number you want to use

#*************************************************** end of config
# Prefill the date (printed in the report banner):
chomp(my $dat = `date "+%y/%m/%d %H:%M"`);

my $cnt  = 0; # ips (new in this run)
my $cnto = 0; # ips old + new (everything in the DBM file)
my $cnt2 = 0; # access (repeat hits from already known ips)

# open the IP register; dbmopen creates the file if it does not exist yet.
# The register persists between runs, so an IP stays blocked after the
# error logs have been reset.
my %domains;
dbmopen(%domains, "$wrk$domfile", 0640)
    or die "$0: cannot open $wrk$domfile: $!\n";

# GET OUR LOGFILES
open(my $input, '<', $logfiles) || die "$0: cannot open $logfiles !\n";
while (my $logname = <$input>) {
    chomp($logname);
    next if $logname eq '';
    open(my $log, '<', $logname) || die "cannot open $logname! \n";
    while (<$log>) {
        ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
        my $virus = 0;

        $virus = 1 if /winnt/;
        $virus = 1 if /root\.exe/;
        $virus = 1 if /cmd\.exe/;
        $virus = 1 if /default\.ida/;

        next unless $virus;

        # block them: take the client IP and the last path component (the
        # "command" the worm asked for). The IP is restricted to digits and
        # dots here, so it is safe to hand to ipfw below.
        next unless /client ([0-9.]+)\].*\/([^\/]*)$/;
        my ($ip, $comm) = ($1, $2);
        if (exists $domains{$ip}) {
            $cnt2++;
        } else {
            $cnt++;
        }
        $domains{$ip} = $comm; ## last command
    }
    close($log);
}
close($input);

print "########################################################################\n";
print "Attacks from Code Red/Nimda ($dat)\n";
print "########################################################################\n";
print "DIFFERENT IPs: $cnt\n";
print "########################################################################\n";
print "TOTAL ACCESS: $cnt2\n";
print "########################################################################\n";

# NOW LET'S CHECK EVERYTHING:
# clear the one rule (ipfw syntax is "ipfw delete <number>"; every rule
# carrying that number is removed at once). On the very first run there is
# nothing to delete yet, so a failure here is only reported, not fatal:
my @args = ("/sbin/ipfw", "-q", "delete", $rule);
system(@args) == 0 or print "system @args failed: $?\n";

# add all of our idiots:
foreach my $dom (sort keys %domains) {
    $cnto++;
    # print "$dom - denied access to the server with rule $rule\n";
    # ipfw syntax is "ipfw add <number> <action> ...". The list form of
    # system() bypasses the shell, so nothing in $dom can be interpreted as
    # shell syntax; -q replaces the old ">/dev/null".
    @args = ("/sbin/ipfw", "-q", "add", $rule,
             "deny", "all", "from", $dom, "to", "any");
    system(@args) == 0 or die "system @args failed: $?";
}

print "########################################################################\n";
print "All Rules (Total IPS: $cnto) added to Firewall\n";
print "Known Windows Systems denied access!\n";
print "########################################################################\n";

dbmclose(%domains);



--
Best regards / Kind regards,

Karl M. Joch
KMJ Consulting - CTS Consulting & Trade Service
http://www.kmjeuro.com - http://www.ctseuro.com
k.joch@kmjeuro.com - k.joch@ctseuro.com

GSM : +43-664-3407888

Our services:
http://www.proline.at - Network and security technology
http://www.eushop.net - Online shop and applications, simply rented
http://www.freebsd.at - Power Operating System
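The detection step of the script above, as an added example in Python that is not part of the post and not Karl's code: it applies the same four substring signatures (winnt, root.exe, cmd.exe, default.ida) to Apache error-log lines, keys hits by client IP, keeps the last requested file per IP, and only builds the ipfw command strings instead of running them. The log lines are constructed for the example; the explicit IPv4 validation before an IP is placed into a command line is an added check, and it shows why the post's `[0-9.]+` capture alone is not enough (a "client" field of `999.1.2.3` passes the regex but is not an address).

```python
"""Code Red / Nimda probe detection over Apache error-log lines (added example)."""
import ipaddress
import re
from collections import OrderedDict

# Apache 1.3-style error_log line, e.g.
# [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
LINE_RE = re.compile(r'\[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$')

# the same four signatures the mailing-list script matches on
WORM_RE = re.compile(r'winnt|root\.exe|cmd\.exe|default\.ida')

# constructed sample input: two probing hosts, one harmless 404, one line
# whose "client" field is not a valid address, one malformed client field
SAMPLE_LOG = """\
[Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida
[Mon Sep 10 10:39:01 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/scripts/root.exe
[Mon Sep 10 10:40:12 2001] [error] [client 10.1.2.3] File does not exist: /usr/local/www/winnt/system32/cmd.exe
[Mon Sep 10 10:41:00 2001] [error] [client 10.9.8.7] File does not exist: /usr/local/www/favicon.ico
[Mon Sep 10 10:42:00 2001] [error] [client 10.1.2.3] File does not exist: /usr/local/www/MSADC/root.exe
[Mon Sep 10 10:43:00 2001] [error] [client 999.1.2.3] File does not exist: /usr/local/www/default.ida
[Mon Sep 10 10:44:00 2001] [error] [client 1.2.3.4; rm -rf /] File does not exist: /usr/local/www/default.ida
"""


def scan(lines):
    """Return (hits, new_ips, repeat_hits, skipped).

    hits maps client IP -> last requested file name, like the Perl %domains
    hash; new_ips / repeat_hits mirror $cnt / $cnt2; skipped collects worm
    lines that were rejected because the client field is not a clean IPv4
    address and must never reach a firewall command.
    """
    hits = OrderedDict()
    new_ips = repeat_hits = 0
    skipped = []
    for line in lines:
        if not WORM_RE.search(line):
            continue                      # ordinary 404, not a worm probe
        m = LINE_RE.search(line)
        if m is None:
            skipped.append(line)          # client field is not digits/dots
            continue
        ip = m.group('ip')
        try:
            ipaddress.IPv4Address(ip)     # added check: 999.1.2.3 fails here
        except ValueError:
            skipped.append(line)
            continue
        comm = m.group('msg').rsplit('/', 1)[-1]   # last path component
        if ip in hits:
            repeat_hits += 1
        else:
            new_ips += 1
        hits[ip] = comm                   # remember the last "command"
    return hits, new_ips, repeat_hits, skipped


def ipfw_commands(hits, rule=50):
    """Build the ipfw(8) command lines the Perl script executes: one delete
    of the shared rule number, then one deny rule per IP under that number."""
    cmds = ['/sbin/ipfw delete %d' % rule]
    for ip in sorted(hits, key=ipaddress.IPv4Address):
        cmds.append('/sbin/ipfw add %d deny all from %s to any' % (rule, ip))
    return cmds


if __name__ == '__main__':
    hits, new_ips, repeat_hits, skipped = scan(SAMPLE_LOG.splitlines())
    print('DIFFERENT IPs: %d   TOTAL ACCESS: %d   skipped: %d'
          % (new_ips, repeat_hits, len(skipped)))
    for ip, comm in hits.items():
        print('%-16s last command: %s' % (ip, comm))
    print('\n'.join(ipfw_commands(hits)))
```

Run as-is, the sample yields two blocked hosts (10.1.2.3 and 193.215.176.192, each last seen asking for root.exe), two repeat hits, and two skipped lines; the commands are printed rather than executed, so the block list can be reviewed before anything touches the firewall.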
----- Original Message -----
From: "David Kirchner" <davidk@accretivetg.com>
To: <freebsd-security@FreeBSD.ORG>
Sent: Sunday, September 23, 2001 11:00 PM
Subject: Re: New worm protection


> Would it be possible to create an accept-filter module (ala accf_http)
> that could take care of these and future similar filters, server-wide?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?060301c14487$048f79f0$0a05a8c0>